How To Protect Average Americans From Russian Hacks
Believe it or not, the time may be ripe for a cyber deal with Russia that would aim to protect average Americans from cyber hacks during peacetime. While the idea might not sit well with those investigating Russia’s interference in the 2016 presidential election, the United States would lose nothing by seeing whether an accord might work.
At a similar juncture in 2015, the United States was able to reach a cyber accord with China. Beijing, like Moscow now, had just been blamed for a massive hack. China was accused of stealing security clearance records for millions of government employees and contractors at the U.S. Office of Personnel Management, leaving U.S. intelligence officers unmasked and vulnerable to blackmail. The U.S. Justice Department charged five Chinese military officers—just as it has now charged two Russian intelligence officers—with cybercrimes.
The China case centered on corporate espionage against U.S. companies, and marked the first time that cyber charges had been brought against foreign officials by any country. China agreed to mutual limits with the United States on corporate espionage, fearing that sanctions might otherwise follow. The accord seems to have had at least some affect, as Chinese corporate hacking against the United States fell in its aftermath, even though no one knows how long the accord will last, or whether Chinese hackers have just gotten more sophisticated about hiding their intrusions.
A different type of agreement with Russia would serve U.S. interests better. Rather than pledging not to engage in cyber espionage—a pledge that is unverifiable, since effective espionage efforts are never discovered, and unreasonable, given the high levels of distrust between the two sides and hence a need to spy wherever possible—a new accord, as I outline in a new Council on Foreign Relations report, could pledge not to reveal civilian data gained from hacking, and not to otherwise harm civilians in peacetime. In other words, Moscow and Washington would forswear doing anything like the Democratic National Committee WikiLeaks release in the future.
Russian President Vladimir Putin might agree to this because he faces his own presidential election in 2018, and has an incentive to protect himself and his allies from U.S. hacking designed to embarrass him. Moscow may also believe that hacking served its purpose, seeing the 2016 DNC attacks as retaliation for what it deemed U.S. political interference in the 2014 Ukraine Maidan uprising and the earlier 2011-2012 protests against Putin at home. (Many Russians also see it as retribution for the Panama Papers leak, which they believe was a U.S. Central Intelligence Agency plot, despite the lack of evidence.)
Reaching an accord with the United States on cyber issues would also allow Putin to portray himself as a man who solved one of the greatest security threats of our time by forcing the United States to the negotiating table. (A similar Putin maneuver, the proposal to remove chemical weapons from Syria under United Nations oversight in 2013, also served U.S. security interests even though it was portrayed as an embarrassment for then-U.S. President Barack Obama.) Reaching an agreement now might also short-circuit current efforts in the U.S. Senate to enact further sanctions against Russia, paralleling for Moscow the incentive Beijing faced in 2015.
While attribution in the cyber world is never 100% certain, an accord with Moscow would not need government oversight to be politically enforceable. The most damning description of Russia’s DNC hacking in 2016 came not from the controversial report released by U.S. intelligence agencies in December 2016, but instead from the private cyber firm CrowdStrike the previous June. CrowdStrike was hired by the DNC to investigate the data breach, and published its detailed report on its own website. Other private U.S cyber security firms like Mandiant/FireEye and Fidelis were able to confirm CrowdStrike’s findings.
The vibrant global private cyber security sector has a strong incentive to expose cyber attackers and publicize their methods, because it is good business to do so. Even if attribution were not legally binding, Russia could easily be shamed for its failure to abide by the agreement by private companies, giving the Kremlin further incentive to leash its hackers.
Finally, because the U.S. civilian economy and its growing Internet of things—self-driving cars, Wi-Fi home security systems, internet-enabled medical devices, and yes, microwave ovens—is so vulnerable to cyber-attack, Washington has no incentive to start a cyber war itself. And if Putin says no to a U.S. proposal, he will go down in history as the man who was not interested in protecting civilians in peacetime from cyber war.
The date of the first summit between Trump and Putin has not yet been announced, but a cyber accord should be the first item on its agenda.
Kimberly Marten is the Ann Whitney Olin Professor of Political Science at Barnard College, Columbia University, and Director of the Program on U.S.-Russia Relations at Columbia’s Harriman Institute. She is the author of the new Council on Foreign Relations report, Reducing Tensions Between Russia and NATO.